Wireless broadband internet access via hotspots is convenient for both the casual surfer and the internet-dependent teleworker. Unfortunately, current security technologies integrated into wireless LAN (WLAN) products offer insufficient protection here, and mobile users must be wary when accessing the central company network via a hotspot. What is necessary is a security solution that protects the teleworkers place in all phases of connection construction on hotspots – without risky, foreboding configurations and without the help of users or administrators. The article illuminates the effectiveness of VPN security mechanisms, data encryption, strong authentication and personal firewalls and shows how optimal protection can be achieved by dynamically integrating each of these technologies.

Risks in the WLAN

Each user can access public WLANs with correspondingly equipped terminals. They automatically obtain an IP address in the sense that they recognize the SSID (service set identifier) of the WLAN, thus putting themselves within range of the access points, and able to access permission onto the WLAN. Data security or protection of participating devices from attacks is not guaranteed by the WLAN operator. Security is limited to monitoring authorized network access in order to eliminate misuse of the server administration. User identification serves solely for the acquisition and the accounting of time online. However, how does it look regarding the protection of sensitive information during data transmission? How can the PC optimally seal itself off from attacks from the WLAN and the Internet? Because the actual security risk on the hotspot originates from having to register with the operator outside the protected area of a VPN, as a rule it has to take place by means of the browser. During this timeframe, the terminal device is unprotected. This stands in opposition to the company’s security policy that prohibits direct surfing on the Internet and that only permits certain protocols.

Basically, VPN mechanisms and data encryption serve to protect confidentiality. The corresponding security standards are IPSec tunneling and AES encryption for data, and X.509 v3 for access protection. Additional security mechanisms, such as certificates in a PKI (public key infrastructure) or onetime password tokens complement/replace the usual user-ID and password. A personal firewall offers the required protective mechanisms against attacks from the Internet and from the public WLAN. Here, stateful packet inspection is critical. If this is not provided, it is not advised to use a hotspot for mobile computing.

VPN client and external personal firewall

For a VPN solution with a separately installed firewall, the ports for http/https data traffic to the personal firewall must be activated during hotspot registration. This can take place in three different ways:

1. The firewall rules for http/https are firmly preconfigured in order to guarantee the functionality with the desired hotspots.
2. The configuration allows that the ports are opened for http/https as needed for a certain time window (e.g. two minutes).
3. The user has administration rights and independently changes the firewall rules.

Spotlight

By working with the DevOps team, you can ensure that the production environment is more predictable, auditable and more secure than before. The key is to integrate your security requirements into the DevOps pipeline.

A critical vulnerability in ANTlabs InnGate devices, a popular Internet gateway for visitor-based networks and commonly installed in hotels and convention centers, has been discovered. The flaw could allow an attacker to monitor or tamper with traffic to and from any hotel WiFi user's connection.

In this interview, Raj Samani, VP and CTO EMEA at Intel Security, talks about successful information security strategies aimed at the critical infrastructure, government challenges, the role of regulation, and more.